svySecurity/UX 2024.3.0 issue

Hi,
I’ve just spent a frustrating amount of time trying to sort out what I thought was something I had messed up, but I now think it is an issue with the latest release of Servoy & svySecurity.
I am using (as I thought was the ‘best practice’ way) the svySecurity module with my solution(s) [which are themselves based on the Sample application].
To check that I wasn’t going mad, I installed a fresh copy of Servoy 2024.3.2, then let it create the default database stuff, then imported the Sample application.
On launch, this automatically fills in ‘admin’ for all login items and I can get into the system.
If I then use the Security section, go to Users, pick the ‘admin’ user and then edit it, I can then ‘reset password’, which then runs (this code)

    var user = scopes.svySecurity.getUser(user_name, tenant_name);
...
    var newPwd = '';
    while (!newPwd || (newPwd.search(/[\/\+]/) != -1)) {
        newPwd = utils.stringMD5HashBase64(application.getUUID().toString()).substr(2, 8);
    }
    user.setPassword(newPwd);

and then displays a dialog with the generated password. I then copied that password, logged out and tried to log back in again, changing the ‘admin’ password to the new one and it fails, saying the password is incorrect!!
(it checks like this)

    this.checkPassword = function(password) {
...
        return utils.validatePBKDF2Hash(password, record.user_password);
    }

There is new documentation for the way svySecurity now generates passwords (for this call):

    record.user_password = utils.stringPBKDF2Hash(password, 10000);


> utils.stringPBKDF2Hash(textString, iterations): String
> 
> Returns the PBKDF2 hash for specified text. This method is preferred above the old MD5 hash for enhanced security.
> From Servoy 2024.3.1 on this method will use SHA256 (HmacSHA256) as the Hash Algorithm.
> Before that it did use SHA1 (HmacSHA1) as the Hash Algorithm; this does result in a different length of the hash.
> The total hash length (including iterations of 9999) for SHA256 is 87, which was 63. So you need to make sure you can store at least 87 characters in your database. (But make sure you can handle more for future updates.)
> 
> NOTE: PBKDF2 is the key hash function for the PKCS (Public-Key Cryptography) standard, for more info see: http://en.wikipedia.org/wiki/PBKDF2
> var hashed_password = utils.stringPBKDF2Hash(user_password,9999)

I think that something has gone wrong with this new way of generating the stored password that needs looking into...
(I managed to get back in by pasting into the back-end a copy of the hashed admin password from another solution...)

I am happy to be told I have done something stupid, but I changed nothing after installing clean stuff, so, with the utmost respect, did no one do any QA testing on the sample application with the latest release??

[EDIT] The original reason I thought I'd made a mistake was that I was trying to allow my users to be able to set the password themselves instead of a random string, so I changed the code to 

    // Ask the user for the new password instead of generating a random one
    var newPwd = plugins.dialogs.showInputDialog('New Password', 'Please create a new password...');
    if ((newPwd != null) && (newPwd != '')) {
        user.setPassword(newPwd);
        plugins.dialogs.showInfoDialog('User password has been reset',
            utils.stringFormat('The password for user <b>"%1$s"</b> from tenant <b>"%2$s"</b> has been reset.\n\nThe new auto-generated password is:\n\n%3$s\n\nProvide the new password to the user.',
                [user_name, tenant_name, newPwd]));
    } else {
        plugins.dialogs.showInfoDialog('Not Reset!', 'Password was not reset as nothing was entered...');
    }


And then that stopped working, so I thought I'd made a mistake...
[/EDIT]

Thanks
Rafi

Hi Rafi,

probably you are hit by this: https://docs.servoy.com/release-notes/r … -2024.03.1

There you can read:

> We also upgraded the PBKDF2Hash hashing function from HmacSHA1 to HmacSHA256. This does mean that the length of the hash string that is returned will be bigger; depending on the iterations (default 9999) this will now be at least 86 chars instead of 63 chars. So if a password hash column was created that is less than 90, please have a look and do an alter table on that column and make it at least 200 chars to also support it better in the future. SvySecurity by default had a size of 63; this is changed, but as an existing user it's very possible that an alter table needs to be done.

If you had a previous svySecurity DB, your password hash column is too small. Make it 150 chars or whatever and you should be future proof.

Hi Patrick,
thanks for the suggestion, but both the old solution & the brand new, freshly created from Servoy, tables have user_password set to 250 characters, so not that…
(please feel free to do a clean/fresh install of 2024.3.2 & then Sample & see what happens…)
Thanks

That is very weird. I am not currently using svySecurity, but a quick test gave me this:

[Screenshot attached: Screenshot 2024-06-14 183327.png]

Thanks for the quick reply, Patrick, but the password you generated is not what you put in the ‘validate’, so I don’t understand what you are showing here??

Yes, it is. I hash “mySuperPw” with 10000 iterations as svySecurity creates and stores it, and it outputs this as salt:iterations:hash, and then I validate that using “mySuperPw” and that salt:iterations:hash again, which returns true.

My humble apologies!
It appears that Servoy was showing the column as being length 250, but when I looked directly at the back-end, the column was set to 64 and there was a warning in Servoy about a column difference!
However, that was still using the default install of Servoy and the svySecurity module import that set it to that value, so please can the creation of the defaults svySecurity table be updated to create the correct column sizes??
I just updated clean sample table to 250 chars, tried changing password and it now works!
[I had done something stupid ;-) ]
Have a good weekend
Thanks!
Rafi